ensuring hipaa compliance when transmitting phi...

Post on 24-Jul-2020


TRANSCRIPT

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

Presenting a live 90-minute webinar with interactive Q&A

Ensuring HIPAA Compliance When Transmitting PHI via Patient Portals, Email and Texting

Protecting Patient Privacy, Complying With State and Federal Regulations, and Meeting Meaningful Use Stage 2 Standards

WEDNESDAY, FEBRUARY 15, 2017

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:

Ryan P. Blaney, Member, Cozen O’Connor, Washington, D.C.

Kim C. Stanger, Partner, Holland & Hart, Boise, Idaho

Tips for Optimal Quality

Sound Quality

If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection.

If the sound quality is not satisfactory, you may listen via the phone: dial 1-866-927-5568 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail sound@straffordpub.com immediately so we can address the problem.

If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

FOR LIVE EVENT ONLY

Continuing Education Credits

In order for us to process your continuing education credit, you must confirm your participation in this webinar by completing and submitting the Attendance Affirmation/Evaluation after the webinar.

A link to the Attendance Affirmation/Evaluation will be in the thank you email that you will receive immediately following the program.

For additional information about continuing education, call us at 1-800-926-7926 ext. 35.

FOR LIVE EVENT ONLY

Program Materials

If you have not printed the conference materials for this program, please complete the following steps:

• Click on the ^ symbol next to “Conference Materials” in the middle of the left-hand column on your screen.
• Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.
• Double click on the PDF and a separate page will open.
• Print the slides by clicking on the printer icon.

FOR LIVE EVENT ONLY

This presentation is similar to any other legal education materials designed to provide general information on pertinent legal topics. The statements made as part of the presentation are provided for educational purposes only. They do not constitute legal advice nor do they necessarily reflect the views of Holland & Hart LLP or Cozen O’Connor or any of its attorneys other than the speaker. This presentation is not intended to create an attorney-client relationship between you and Holland & Hart LLP and Cozen O’Connor. If you have specific questions as to the application of law to your activities, you should seek the advice of your legal counsel.

Overview of Presentation

Introduction & State of the Industry

Patient Portal Design & Contracting

Patient Portals Pitfalls

Consumer-focused Health Care???

Facts & Stats

Patient Interaction & Partnership

• 84% of US consumers with smart phones/home computers want access to electronic medical records
• 41% willing to switch doctors over the issue
• 70% of consumers believe it’s important to be able to consult their providers via email. – See Kaveh Safavi, M.D., J.D., Accenture Consumer Survey on Patient Engagement, Sept. 2013.

What is a Patient Portal?

• A secure online website that gives you 24-hour access to your personal health information and medical records

Outcomes-Based Healthcare

• Affordable Care Act
• New Payment Models (e.g., MSSPs)
• Data-Driven Care Delivery
– Enabling interoperability and meaningful use of health IT.

What did HITECH do for Portals?

• In 2009, the HITECH Act accelerated the changing healthcare landscape.
– To qualify for payments from the Medicare & Medicaid EHR Incentive Program, health care providers have accelerated the implementation of EHR.

Meaningful Use Measures

• Patient portals are a way to meet the meaningful use requirements (“measures”)
• Core measures – i.e., providing patients with an electronic copy of their health information; providing clinical summaries for each office visit
• Menu measures – i.e., providing patients with timely electronic access to their health information; patient-specific education resources

HIPAA

• “Treatment purposes”: 45 C.F.R. Section 164.506
• Business Associate Agreement (BAA)
• Third-Party Access to data
• Minimum Necessary Requirement
• Consent

Minimum Necessary Rule

• Covered Entities must make reasonable efforts not to use or disclose more than the minimum amount of health information necessary to accomplish the intended purpose of the disclosure
• With limited exceptions, the standard generally applies to all uses and disclosures of health information (45 CFR § 164.502(b))

What is PHI?

• Protected Health Information (PHI) is individually identifiable health information in all forms – paper, oral, or electronic.
• PHI excludes employment records held by an employer in its role as an employer (e.g., a physician's note)

What is Health Information?

• Health information includes any information created by a health care provider, health plan, employer, school or university
– And that relates to the past, present, or future physical or mental health or condition of the individual,
– The provision of health care to the individual, or
– The past, present, or future payment for health care to the individual

What makes Health Information “Individually Identifiable”?

• Names
• Medical Record Numbers
• Social Security Numbers
• Account Numbers
• License/Certification numbers
• Vehicle Identifiers/Serial numbers/License plate numbers
• Internet protocol addresses
• Health plan numbers
• Full face photographic images and any comparable images
• Web universal resource locators (URLs)
• Any dates related to any individual (date of birth)
• Telephone numbers
• Fax numbers
• Email addresses
• Biometric identifiers including finger and voice prints
• Any other unique identifying number, characteristic or code

What is a Business Associate (“BA”)?

• Definition:
– A person who (i) performs for or on behalf of a covered entity, or assists a covered entity, in performing an activity or function involving use or disclosure of health information (e.g., claims processing, utilization review, billing), or (ii) provides legal, actuarial, accounting, management, administrative, accreditation or financial services where the provision of such services involves the disclosure of health information from the entity or another business associate of the entity
• Includes anyone with health information from your health plans, providers and covered entities (could include attorneys, consultants, third party administrators, auditors, computer software service companies)

What are the Business Associate Rules?

Contracting

• Don’t just sign the standard contract placed in front of you!
• Pay attention to clauses/provisions:
– Who owns the data?
– Term and renewal
– Indemnification
– Limitations on Liability
– Reporting requirements and breaches
– Termination and data (discussed later)

Tips for Drafting & Negotiating BAAs

• Reporting requirements and timing (the parties can and should agree on shorter periods)
• Review the underlying services agreement and modify the services agreement and BAA to be consistent
• Agency and subcontractor provisions
• Indemnification clauses
• Breach notification costs and responsibilities
• Termination and destruction of PHI

OCR Sample BAA Terms

BAA: Pro-Covered Entity Terms

• Covered entities may want to add these terms:
– Business associate must report or act within x days.
– Business associate must implement policies.
– Business associate must encrypt or implement other safeguards.
– Business associate must carry data breach insurance.
– Business associate notifies individuals of breaches and/or reimburses covered entity for costs of the notice.
– Business associate defends and indemnifies for losses, claims, etc.
– Business associate is an independent contractor, not agent.
– Business associate assumes liability for subcontractors.
– Allow termination of underlying agreement.
– Must have consent to operate outside the United States.
– Covered entity has right to inspect and audit.
– Cooperate in HIPAA investigations or actions.

* Business associate may want these in subcontracts.

BAA: Pro-BA Terms

• Business associates and subs probably want to add these:
– Covered entity will not disclose PHI unless necessary.
– Covered entity will not request action that violates HIPAA.
– Covered entity has obtained necessary authorizations.
– Covered entity will not agree to restrictions on PHI that will adversely affect business associate.
– Covered entity will notify business associate of all such restrictions.
– Covered entity will reimburse for additional costs.
– Blanket reporting for security incidents.
– Specify business associate does not maintain designated record set.
– Reserve the right to terminate based on restrictions or other change that adversely affects business associate.
– Subcontractors are independent contractors, not agents.
– Mutual indemnification.
– Limitation or cap on damages.

Business Associates

• Covered entity is liable for acts of business associate if:
– Knew or should know that business associate is violating HIPAA and covered entity fails to act; or
– Business associate is the covered entity’s agent.
• Make sure business associate is an independent contractor, not an agent.
– Business associate agreement should confirm same.
– Make sure you do not control method and manner of business associate’s functions.

Business Associates

OCR targeting business associate issues, e.g.:

• Group paid $750K for no BAA after BA lost films.
• Hospital paid $1.55M for no BAA after BA lost laptop.
• Hospital system paid $400K for failing to update BAA to include Omnibus Rule terms.

Make sure you have current, updated BAAs in place with your business associates!

HIPAA Audits

“HIPAA Compliance is like middle school math – you must show your work”
– Leon Rodriguez, Director, Office of Civil Rights

• HIPAA-related recordkeeping is essential.
• Audit: Leverage OCR’s HIPAA Privacy, Security and Breach Audit Protocol available online.
• Assessments: analysis of vulnerabilities, data criticality, remediation strategies and the process for determining and accepting risks in the organization.

Breaches

The Omnibus Rule made significant changes to the interim final breach notification rule by:

• Adding a presumption that any unauthorized use or disclosure of unsecured PHI is a breach
• Removing the prior “risk of harm” standard.
• Requiring covered entities to evaluate and demonstrate a “low probability” that the PHI has been “compromised”; otherwise notification to patients is required

How? Sources of Data Breach

Source: Ponemon Institute LLC, 2014 Cost of Data Breach Study: Global Analysis (IBM sponsored), http://www-935.ibm.com/services/us/en/it-services/security-services/cost-of-data-breach/

What cyber criminals have already taken…

• Intellectual Property – Loss varies with the nature of the industry
• State Secrets – Destabilizing American infrastructure
• Medical Records – Average Black Market Value = $60 > credit card
• Credit Cards – PCI violations range from $10K - $100K
• Identity Theft – Companies pay approx. $180 per compromised customer
• Corporate Espionage – Loss of contracts = loss of revenue

Costs of Data Breaches

• $145/record, avg. of > 28k records (Ponemon Institute Survey)
• $159 when caused by malicious attacks (Ponemon Institute Survey)
• Average financial impact to surveyed companies with one or more incidents = $3.5 million

Patient Portal Risk Areas

• Security
• “User error”
– By patients
– By staff

Designing Portal

• Keep it simple and user friendly.
– Portal is no good if patients or staff can’t or won’t use it.
– May lead to non- or miscommunication and frustration.
• Ease of use > Complex functionality

Determine Functionality

• Communicate via e-mail
• Appointment reminders
• Schedule non-urgent appointments
• Request prescription refills
• Check benefits and coverage
• Update contact info
• Make payments
• Download and complete forms
• Access records
– Which records?

Limit Access to Some Records

• Portal Access < Patient’s Right of Access
• Under HIPAA, may limit access to PHI if:
– Not part of designated record set
– Psychotherapy notes
– Obtained under a promise of confidentiality
– Access may cause substantial harm to patient or other person.
(45 CFR 164.524(a))
• May limit access to additional records in portal.
• Create a process to flag or limit access to certain records.

Limit Access to Some Records

• Check other laws for additional limits.
– State laws
• HIV/STDs
• Mental health
• Substance abuse
• Genetic tests
– Federally funded drug and alcohol programs have additional limits (see 42 CFR part 2)
– Others?

Access by Others

• Parents or personal representatives
• Third parties

Access by Personal Reps

• Under HIPAA, personal representative has the right to access patient info.
– Personal Rep = Patient
• “Personal representative” = person with authority under state law to make decisions concerning the patient’s health care.
– Parent of unemancipated minor
– Legal guardian or surrogate of incompetent patient
– Others per state law (45 CFR 164.502(g))

Access by Personal Reps

• May (should) deny personal rep access if:
– Minor reaches age of majority.
– Patient may consent to their own care under state law, e.g., minor seeks care for:
• Sexually transmitted disease
• Drug or alcohol treatment
• Mental health
• Reproductive health
– Parent or guardian agrees to confidentiality.
– Provider determines that allowing personal rep to access may endanger patient or is not in patient’s interest. (45 CFR 164.502(g))

Check state law

Access by Personal Reps

• Build in limits to portal access by personal reps, e.g.:
– Patient age 0-12: parents may access all records
– Patient age 12-17: hold back or restrict parental access to certain sensitive records, e.g.,
• Women’s health
• Psychiatry
• Substance abuse
• Others for which patient may consent on their own
– Age 18 and over: terminate parental right to access unless:
• Patient did not object and relevant to parent’s involvement.
• Patient authorization or consent.
• Check state law!
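The age-banded proxy limits on these slides can be encoded as a deny-by-default access decision that a portal evaluates on every record request by a personal representative. The following is an added example, not code from the webinar or from any portal product; the record category names, the placement of age 12 in the 12-17 band, and the field names are assumptions, and state law would set the real bands.

```python
"""Added example (not from the webinar): proxy access decision implementing the
age-banded limits from the 'Access by Personal Reps' slides.
Category names, age-band edges and field names are assumptions."""
from dataclasses import dataclass, field
from datetime import date

# Record categories the slides treat as sensitive for adolescents (assumed names).
# "minor_consent" stands for other care a minor may consent to on their own under state law.
SENSITIVE_CATEGORIES = {"womens_health", "psychiatry", "substance_abuse", "minor_consent"}


@dataclass
class Patient:
    birth_date: date
    # Proxies named in a signed HIPAA authorization / proxy agreement (45 CFR 164.508).
    authorized_proxies: set = field(default_factory=set)
    # Adult patient has not objected to this person's involvement in care (45 CFR 164.510).
    no_objection_proxies: set = field(default_factory=set)
    # Records the provider has flagged because proxy access may endanger the patient.
    flagged_record_ids: set = field(default_factory=set)


def age_on(birth_date: date, today: date) -> int:
    """Whole years between birth_date and today."""
    years = today.year - birth_date.year
    if (today.month, today.day) < (birth_date.month, birth_date.day):
        years -= 1
    return years


def proxy_may_view(patient: Patient, proxy_id: str, record_id: str, category: str,
                   today: date, relevant_to_involvement: bool = False):
    """Return (allowed, reason). Deny by default; each branch names the slide rule it applies."""
    # Provider flag overrides every age band (45 CFR 164.502(g)).
    if record_id in patient.flagged_record_ids:
        return False, "provider flagged record: access may endanger patient"
    age = age_on(patient.birth_date, today)
    if age < 12:
        return True, "patient under 12: parent/personal rep may access all records"
    if age < 18:
        if category in SENSITIVE_CATEGORIES:
            return False, "patient 12-17: sensitive record withheld from parental access"
        return True, "patient 12-17: non-sensitive record"
    # Age 18 and over: parental right of access ends unless an exception applies.
    if proxy_id in patient.authorized_proxies:
        return True, "adult patient: proxy named in authorization or proxy agreement"
    if proxy_id in patient.no_objection_proxies and relevant_to_involvement:
        return True, "adult patient: no objection and record relevant to involvement"
    return False, "adult patient: parental access terminated; no authorization"


if __name__ == "__main__":
    # Constructed sample: a 15-year-old's parent asking for a psychiatry note.
    teen = Patient(birth_date=date(2002, 1, 1))
    print(proxy_may_view(teen, "parent", "note-1", "psychiatry", date(2017, 2, 15)))
```

The decision log reason string is meant to be written to the portal's audit trail, so that a later accounting of disclosures can show which rule allowed each proxy view.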

Access by Third Parties

• Warn patient against allowing third parties to use password.
• As practical matter, patient may allow anyone to access.
– Provider may disclose to family members and others involved in care if patient does not object. (45 CFR 164.510)
• Provider may not knowingly allow third parties to access unless HIPAA exception applies, e.g.,
– HIPAA-compliant authorization. (45 CFR 164.508)
– Patient directs that PHI be sent to third party. (45 CFR 164.524)
– Family members and others involved in care so long as patient has not objected. (45 CFR 164.510)
– Personal representative. (45 CFR 164.502)
– Other?

Access by Third Parties

• Options:
– Allow third party to use patient’s user name and password.
• Perhaps problems with Security Rule requiring unique user ID.
– Give third party their own user name and password if patient agrees.
• HIPAA authorization. (45 CFR 164.508)
• Patient request to disclose. (45 CFR 164.524)
– Set up separate account with different parameters, e.g., allow proxy to view but not change any fields.

Security of Portal

• Ensure portal complies with HIPAA Security Rule if transmitting PHI.

Security of Portal

• See security rule requirements, especially those related to access controls.
• Unique user ID
• Automatic logoff
• Integrity
• Authentication
• Transmission security
• Encryption and decryption
(45 CFR 164.312)
• Use software that is certified as compliant by the Office of the National Coordinator for Health Info Technology.

Security of Portal

• Encryption is an addressable standard:

(e)(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to [ePHI] that is being transmitted over an electronic communications network.

(2)(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

(45 CFR 164.312)

• ePHI that is properly encrypted is “secured”.
– Not subject to breach reporting per 45 CFR 164.400.
• OCR presumes that loss of unencrypted data, laptop, USB, or mobile device is a reportable breach.

Security of Portal

• Initial authentication
– In-person: check identity and set up portal access in person during appointment.
– Online or remote: check identity through asking questions (e.g., nature of last bill, last four digits of SSN, etc.)
• Log-in authentication
– User name + password.
– Multi-factor authentication, e.g., password and sending code to cell phone.
– Consider giving patient option.

Security of Portal

• Manage passwords
– Consider strength of password required.
– Establish response to consecutive failed login attempts.
– Establish rules for password resets.
– Prohibit sharing of passwords.

Security of Portal

• Test portal frequently.
– Penetration testing.
• Audit usage.
• Include portal in regular risk assessment.
– Risk of intercept during transmission.
– Risk of unauthorized access through portal.
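Two of the controls above, a defined response to consecutive failed logins and auditing usage for shared credentials, can be checked against the portal's authentication log. The following is an added example, not code from the webinar or any portal vendor; the log format, the thresholds and the sample entries are constructed for illustration.

```python
"""Added example (not from the webinar): audit checks over a constructed portal
authentication log. Log format, thresholds and sample lines are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<timestamp> <user> <client-ip> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2017-02-15T09:00:01 pt-1001 198.51.100.7 LOGIN_OK
2017-02-15T09:02:10 pt-1002 203.0.113.5 LOGIN_FAIL
2017-02-15T09:02:25 pt-1002 203.0.113.5 LOGIN_FAIL
2017-02-15T09:02:40 pt-1002 203.0.113.5 LOGIN_FAIL
2017-02-15T09:02:55 pt-1002 203.0.113.5 LOGIN_FAIL
2017-02-15T09:03:10 pt-1002 203.0.113.5 LOGIN_FAIL
2017-02-15T09:15:00 pt-1001 192.0.2.44 LOGIN_OK
2017-02-15T09:20:00 pt-1003 198.51.100.9 LOGIN_FAIL
2017-02-15T09:20:30 pt-1003 198.51.100.9 LOGIN_OK
2017-02-15T13:00:00 pt-1001 198.51.100.7 LOGIN_OK
"""

MAX_CONSECUTIVE_FAILURES = 5            # assumed lockout threshold
SHARING_WINDOW = timedelta(minutes=30)  # assumed window for "same account, two places"


def parse_log(text: str):
    """Parse log lines into (timestamp, user, ip, success) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result == "LOGIN_OK"))
    return sorted(events)


def accounts_to_lock(events, threshold=MAX_CONSECUTIVE_FAILURES):
    """Users whose run of consecutive failures, uninterrupted by a success, reaches the threshold."""
    streak = defaultdict(int)
    locked = set()
    for _ts, user, _ip, ok in events:
        streak[user] = 0 if ok else streak[user] + 1
        if streak[user] >= threshold:
            locked.add(user)
    return locked


def possible_shared_credentials(events, window=SHARING_WINDOW):
    """Users with successful logins from two different client addresses inside the window.

    This is a review queue, not proof of sharing: a patient moving from home Wi-Fi to a
    mobile network looks the same, so the result feeds a human check, not an automatic block.
    """
    last_ok = {}  # user -> (timestamp, ip) of the most recent successful login
    flagged = set()
    for ts, user, ip, ok in events:
        if not ok:
            continue
        prev = last_ok.get(user)
        if prev and prev[1] != ip and ts - prev[0] <= window:
            flagged.add(user)
        last_ok[user] = (ts, ip)
    return flagged


def audit(text: str):
    """Run both checks and return sorted user lists for each finding."""
    events = parse_log(text)
    return {"lock": sorted(accounts_to_lock(events)),
            "review": sorted(possible_shared_credentials(events))}


if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```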

Communicating by E-mail or Text

• Rules differ between communication with patients and communication with other providers or third parties.

E-mails and Texts

• HIPAA Privacy Rule allows the resident to request communications by alternative means or at alternative locations.
– Including unencrypted e-mail. (45 CFR 164.522(b))
• Omnibus Rule commentary states that a covered entity or business associate may communicate with the resident via unsecured e-mail so long as they warn the resident of the risks and the resident elects to communicate via unsecured e-mail or text. (78 FR 5634)

E-mails and Texts

Can you use texting to communicate health information, even if it is to another provider or professional?

Answer: It depends. Text messages are generally not secure because they lack encryption, and the sender does not know with certainty the message is received by the intended recipient. Also, the telecommunication vendor/wireless carrier may store the text messages. However, your organization may approve texting after performing a risk analysis or implementing a third-party messaging solution that incorporates measures to establish a secure communication platform that will allow texting on approved mobile devices.

(HealthIT.gov FAQ)

Integrate Portal Communications

• Ensure portal communications are incorporated into the medical record.
– Relays information to providers who review the record.
– Documents communications with patients to protect providers.
– Supports reimbursement.

Educate Patients

• Functionality and limits of portal.
– Information that should/should not be shared through portal.
• Risks associated with portal.

Educate Patients

Appropriate Topics for E-mail:
• Appointment reminders.
• Requests for prescription refills.
• Data used for chronic disease management such as vital signs.
• Short questions that may be answered briefly.
• Short, patient-initiated updates about non-urgent clinical treatment matters (e.g., “started the medication; no side effects”).

Inappropriate Topics for E-mail:
• Urgent or time-sensitive information.
• Sensitive and highly confidential subjects (e.g., HIV, psychiatric symptoms, etc.).
• Complex concerns or matters requiring extended exchange.

Educate Patients

• Disclaimers or warnings:
– Cannot create patient-physician relationship through e-mail.
– No internet-based diagnosis
– Do not use portal for urgent messages.
• In emergency, contact emergency room directly.
– May be delay in response to e-mail.
– Info provided through portal may be seen by others, e.g.,
• Those who access the patient’s device.
• Those to whom the patient shares access.
• Info submitted that becomes part of the medical record.

Educate Patients

• Disclaimers or warnings:
– Protect passwords and do not share with others.
– E-mails and texts outside portal may not be secure.
– Notify provider of improper access or use.
– Provider not responsible for third party content, e.g., educational material provided from others.
– No warranty concerning any product.
– User assumes risk related to viewing info on user’s computer via a third-party network.
– Prohibit reproduction or personal use of info protected by copyright, trademark, etc.

Portal Documentation

• Registration form
– Sufficient info to identify patient and link to record.
• Access agreement
– Terms and conditions of portal use.
– Instructions for portal use.
– Disclaimers and warnings.
– Reserve right to terminate for misuse.
– Acknowledgment, agreement and signature
• Proxy agreement
– Sufficient info to identify patient and proxy.
– Define scope and warn patient of proxy rights.
– Signed by patient.

Train Staff

• Flag or exclude records that should not be accessed via portal.
• Review portal communications in timely manner.
• Consider sending unsecure e-mail advising patient of message that is waiting for them.
• Do not rely on portals to communicate important info.
– Patients may not pick it up.
– Communicate separately by:
• Phone or letter.
• Unsecure e-mail or text, if the patient has agreed and you comply with HIPAA requirements.

Train Staff

• Do not use e-mail to establish a patient-provider relationship.
• Beware state telemedicine rules.
– Portal may trigger state limits on telemedicine, e.g.,
• Require in-person evaluations to prescribe medication or engage in certain other actions.
• Require specified consents.
– May cross state lines and result in unauthorized practice in the other state.
• Ensure you comply with applicable standard of care.
• See AMA Guidelines for e-communication.

Train Staff

• Portal may increase patient’s exercise of HIPAA rights:
– Request to access records.
• See OCR Guidance re patient’s right to access information at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/.
• Must provide records in requested format if reasonable.
– Request amendment of records.
– Accounting of disclosures.
• HITECH allows patient to get a report of certain disclosures.
• Proposed rule would allow patient to get a report of access for treatment, payment and operations.
• Watch for final rule.
(45 CFR 164.522 to .528)

The TCPA in the Health Care Context

Telephone Consumer Protection Act of 1991 (TCPA)

• Enacted by Congress in 1991 to protect consumers by placing limitations on telemarketing “calls”
• Distinction between: residential vs. wireless calls
• Also applies to all text messaging
• FCC issues Declaratory Rulings (DR) that shed light on the TCPA
• July 10, 2015 DR responds to 21 requests seeking clarification under the TCPA

Residential Lines & Consent

• Residential Lines
• Restriction on use of artificial/prerecorded voice to deliver message
• Unless prior express written consent
• Exemption from consent:
• Emergencies
• Noncommercial purpose
• Commercial purpose but not telemarketing (no advertisement)
• Delivery of a health care message by/on behalf of a CE or BA
• Message by/on behalf of tax-exempt NFP

Wireless Numbers & Consent

• Contacting Wireless Numbers
• More restrictive than residential lines
• Wireless (e.g., cellphone; any service that charges a party for a call)
• Prohibitions:
• On use of an automatic telephone dialing system/artificial or prerecorded voice to initiate calls:
• Advertisements and Telemarketing
• Express, written consent required
• Express consent oral or written if not for advertising or telemarketing

July 10, 2015 DR

• TCPA applies to calls and all forms of text messages
• Text messaging is not treated as more similar to emailing
• Phone-to-Phone texting similar to Internet-to-Phone text messaging
• TCPA and the CAN-SPAM Act both apply to unsolicited messages
• Limited exception for healthcare calls (calls that are subject to HIPAA)

TCPA’s Healthcare Call Exception

• Prior Express Consent is achieved by
• Giving a health care provider your number
• Only “health care” messages from a provider
• Health care as defined under HIPAA
• Use – “within the scope of the consent given”
• Closely related to purpose for which the number was provided
• Providers should consider:
• Does the call meet HIPAA’s definition of health care?
• Is the call within the scope of the consent?

TCPA’s Healthcare Call Exception

• Express Consent (Period of Incapacity)
• Exception applies if a person is incapacitated and a third party provides prior express consent for health care calls
• Non-Telemarketing Healthcare Calls Exemption
• No charge to consumer for text messages, exempted from prior express consent
• Calls must be exigent and have a health care treatment purpose (e.g., appointments)
• Applies to calls subject to HIPAA (Privacy Rule)

TCPA’s Healthcare Call Exception

• Several Conditions for the non-telemarketing healthcare calls exemption include:
• Voice calls/text messages – only to a patient who provides wireless number
• Voice calls/text messages – include name/contact info. of provider
• Voice calls/text messages – limited in purpose
• No telemarketing, solicitation, advertising or financial purpose (billing, debt collection, accounting)
• Must comply with HIPAA
• Opting-out must be available and be honored

Need for Speed

Average smartphone has more computer power than all of NASA in 1969

Kim C. Stanger
kcstanger@hollandhart.com
(208) 383-3913

Ryan P. Blaney
rblaney@cozen.com
(202) 463-2528